NutzCN Logo
问答 为什么取到的uid是上一次登陆的账号呢?
发布于 2785天前 作者 shusheng 1989 次浏览 复制 上一个帖子 下一个帖子
标签:

a账号登陆,a账号退出,b账号登陆,发现取到的uid是a的,为什么?

@POST
	@At("/images")
	@AdaptBy(type=WhaleAdaptor.class)
	@Filters(@By(type=AccessTokenFilter.class))
	public Object images(@Param("Filedata")TempFile tmp) throws Exception {
		int userId = Toolkit.uid();
		return yvrService.upload(tmp, userId);
	}
20 回复

如何登出的

SecurityUtils.getSubject().logout();
			int uid = Toolkit.uid();
			if(uid <= 0){
				return ServiceUtil.success("退出成功");
			}
			String temp = u_sessionId+uid;
			Set<String> smembers = jedis().smembers(temp);
			if(smembers != null){
				ArrayList<String> arr = new ArrayList<>();
				for (String sessionId : smembers) {
					if(sessionId == null){
						continue;
					}
					Subject subject = new Subject.Builder().sessionId(sessionId).buildSubject();
					arr.add(sessionId);
					if (subject == null){
						continue;
					}
					subject.logout();
				}
				// 移除关联
				for (String sessionId : arr) {
					jedis().srem(temp, sessionId);
				}

			}

第一句logout之后,第二句的uid肯定等于0啦

后面的代码只是为了清除redis中的数据,这是改过后的样子,发现这个问题的时候,取uid是在logout之前的
@wendal

发现了,标注了AccessTokenFilter,那 这个入口方法的用户信息是access token决定的,不存在登入登出,access token已经决定了用户id

package net.wendal.nutzbook.mvc;

import java.util.Enumeration;

import javax.servlet.http.HttpServletRequest;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import org.nutz.integration.shiro.SimpleShiroToken;
import org.nutz.lang.Lang;
import org.nutz.lang.Strings;
import org.nutz.lang.util.NutMap;
import org.nutz.log.Log;
import org.nutz.log.Logs;
import org.nutz.mvc.ActionContext;
import org.nutz.mvc.ActionFilter;
import org.nutz.mvc.impl.processor.AbstractProcessor;
import org.nutz.mvc.view.UTF8JsonView;
import org.nutz.mvc.view.ViewWrapper;

import com.sun.org.apache.xml.internal.resolver.helpers.Debug;

import net.wendal.nutzbook.module.BaseModule;
import net.wendal.nutzbook.service.yvr.YvrService;

/**
 * 通过请求参数中的accesstoken进行授权
 * @author wendal
 *
 */
public class AccessTokenFilter extends AbstractProcessor implements ActionFilter {
	
	private static final Log log = Logs.get();
	
	YvrService yvrService;

	public ViewWrapper match(ActionContext ac) {
		if (yvrService == null)
			yvrService = ac.getIoc().get(YvrService.class);
		HttpServletRequest req = ac.getRequest();
		String at = req.getParameter("accesstoken");
		NutMap re = new NutMap().setv("ok", 0);
		String loginname = req.getParameter("Api-Loginname");
		String nonce = req.getParameter("Api-Nonce");
		String key = req.getParameter("Api-Key");
		String time = req.getParameter("Api-Time");
		log.debug("-accesstoken--"+at+"--loginname--"+loginname+"--nonce--"+nonce+"--key--"+key+"--time--"+time);
		if (req.getParameter("Api-Version") != null) {
			log.debug("api version = " + req.getParameter("Api-Version"));
			if (Strings.isBlank(loginname) || Strings.isBlank(nonce) || Strings.isBlank(key) || Strings.isBlank(time)) {
				return new ViewWrapper(new UTF8JsonView(),re.setv("msg", "没有登陆1"));
			}
			if (!yvrService.checkNonce(nonce, time)){
				return new ViewWrapper(new UTF8JsonView(),re.setv("msg", "没有登陆2"));
			}
			at = yvrService.accessToken(loginname);
			if (Strings.isBlank(at)) {
				log.info("AccessTokenFilter|match|loginname="+loginname);
				return new ViewWrapper(new UTF8JsonView(),re.setv("msg", "没有登陆3").setv("loginname", loginname));
			}
			String tmp = Strings.join(",", at, loginname, nonce, time);
			String _key = Lang.sha1(tmp);
			log.debug("tmp="+tmp);
			log.debug("_key=" + _key);
			log.debug(" key=" + key);
			if (!_key.equals(key)) {
				return new ViewWrapper(new UTF8JsonView(),re.
						setv("msg", "没有登陆4").setv("_key", _key).setv("key", key));
			}
			log.debug("api access token check ok");
		} 
		else if (Strings.isBlank(at)) { // TODO 移除这种兼容性,改成必须用nonce加密
			return new ViewWrapper(new UTF8JsonView(),re.setv("msg", "没有登陆5"));
		}
		int uid = yvrService.getUserByAccessToken(at);
		log.debug("-----------uid--"+uid);
		if (uid < 1) {
			return new ViewWrapper(new UTF8JsonView(),re.setv("msg", "没有登陆6"));
		}
		SecurityUtils.getSubject().getSession().setAttribute("me", uid);
		return null;
	}

	public void process(ActionContext ac) throws Throwable {
		Subject subject = SecurityUtils.getSubject();
		Integer uid = (Integer) subject.getSession().getAttribute("me");
		if (!subject.isAuthenticated())
			subject.login(new SimpleShiroToken(uid));
		doNext(ac);
		if (!subject.isAuthenticated())
			subject.logout();
	}
}

SecurityUtils.getSubject().getSession().setAttribute("me", uid);可以取这个值来确定当前是哪个用户吗,我在入口函数中,get me时,获得的当前用户uid是对的
@wendal

看这个AccessTokenFilter 的方法,似乎是下面的方法process没有执行呀

那就debug一下process方法,看看里面的login方法调用了没

if (!subject.isAuthenticated())
			subject.login(new SimpleShiroToken(uid));

没有走到登陆里面去,在哪里授权可以登陆的?
@wendal

改成这样试试

	public void process(ActionContext ac) throws Throwable {
		Subject subject = SecurityUtils.getSubject();
		Integer uid = (Integer) subject.getSession().getAttribute("me");
		if (!subject.isAuthenticated())
			subject.login(new SimpleShiroToken(uid));
		doNext(ac);
		subject.logout();
	}

结果一样,没变化。。。


// public void process(ActionContext ac) throws Throwable { // Subject subject = SecurityUtils.getSubject(); // Integer uid = (Integer) subject.getSession().getAttribute("me"); // log.debug("---AccessTokenFilter---process-----uid--"+uid); // if (!subject.isAuthenticated()) // subject.login(new SimpleShiroToken(uid)); // doNext(ac); // log.debug("-aa--AccessTokenFilter---process-----uid--"+uid); // if (!subject.isAuthenticated()) // subject.logout(); // }

你全注释掉干啥?

把你的代码加上去了
@wendal

//	public void process(ActionContext ac) throws Throwable {
//		Subject subject = SecurityUtils.getSubject();
//		Integer uid = (Integer) subject.getSession().getAttribute("me");
//		log.debug("---AccessTokenFilter---process-----uid--"+uid);
//		if (!subject.isAuthenticated())
//			subject.login(new SimpleShiroToken(uid));
//		doNext(ac);
//		log.debug("-aa--AccessTokenFilter---process-----uid--"+uid);
//		if (!subject.isAuthenticated())
//			subject.logout();
//	}

	public void process(ActionContext ac) throws Throwable {
		Subject subject = SecurityUtils.getSubject();
		Integer uid = (Integer) subject.getSession().getAttribute("me");
		if (!subject.isAuthenticated())
			subject.login(new SimpleShiroToken(uid));
		doNext(ac);
		subject.logout();
	}

啥?我改的就是一律logout,每次请求结束的时候

但是if语句中的登陆还是不会走呀?

你是不是执行过什么,导致请求用其他方式执行过login?

这样试试

	public void process(ActionContext ac) throws Throwable {
		Subject subject = SecurityUtils.getSubject();
		Long uid = (Long) subject.getSession().getAttribute("me");
                if (subject.isAuthenticated())
                     subject.logout(); // 强制登出
               subject.login(new SimpleShiroToken(uid)); // 登入
              doNext(ac);
              subject.logout(); // 登出
	}

添加回复
请先登陆
回到顶部